The Russian military hackers known as Sandworm, responsible for everything from blackouts in Ukraine to NotPetya, the most destructive malware in history, don’t have a reputation for discretion. But a French security agency now warns that hackers with tools and techniques it links to Sandworm have stealthily hacked targets in that country by exploiting an IT monitoring tool called Centreon—and appear to have gotten away with it undetected for as long as three years.
On Monday, the French information security agency ANSSI published an advisory warning that hackers with links to Sandworm, a group within Russia’s GRU military intelligence agency, had breached several French organizations. The agency describes those victims as “mostly” IT firms and particularly web hosting companies. Remarkably, ANSSI says the intrusion campaign dates back to late 2017 and continued until 2020. In those breaches, the hackers appear to have compromised servers running Centreon, sold by the firm of the same name based in Paris.
Though ANSSI says it hasn’t been able to identify how those servers were hacked, it found on them two different pieces of malware: one publicly available backdoor called PAS, and another known as Exaramel, which Slovakian cybersecurity firm ESET has spotted Sandworm using in previous intrusions. While hacking groups do reuse each other’s malware—sometimes intentionally to mislead investigators—the French agency also says it’s seen overlap in command and control servers used in the Centreon hacking campaign and previous Sandworm hacking incidents.
Though it’s far from clear what Sandworm’s hackers might have intended in the years-long French hacking campaign, any Sandworm intrusion raises alarms among those who have seen the results of the group’s past work. “Sandworm is linked with destructive ops,” says Joe Slowik, a researcher for security firm DomainTools who has tracked Sandworm’s activities for years, including an attack on the Ukrainian power grid where an early variant of Sandworm’s Exaramel backdoor appeared. “Even though there’s no known endgame linked to this campaign documented by the French authorities, the fact that it’s taking place is concerning, because the end goal of most Sandworm operations is to cause some noticeable disruptive effect. We should be paying attention.”
ANSSI didn’t identify the victims of the hacking campaign. But a page of Centreon’s website lists customers including telecom providers Orange and OptiComm, IT consulting firm CGI, defense and aerospace firm Thales, steel and mining firm ArcelorMittal, Airbus, Air France KLM, logistics firm Kuehne + Nagel, nuclear power firm EDF, and the French Department of Justice.
In an emailed statement Tuesday, however, a Centreon spokesperson wrote that no actual Centreon customers were affected in the hacking campaign. Instead, the company says that victims were using an open-source version of Centreon’s software that the company hasn’t supported for more than five years, and argues that they were deployed insecurely, including allowing connections from outside the organization’s network. The statement also notes that ANSSI has counted “only about 15” targets of the intrusions. “Centreon is currently contacting all of its customers and partners to assist them in verifying their installations are current and complying with ANSSI’s guidelines for a Healthy Information System,” the statement adds. “Centreon recommends that all users who still have an obsolete version of its open source software in production update it to the latest version or contact Centreon and its network of certified partners.”
Some in the cybersecurity industry immediately interpreted the ANSSI report to suggest another software supply chain attack of the kind carried out against SolarWinds. In a vast hacking campaign revealed late last year, Russian hackers altered that firm’s IT monitoring application and it used to penetrate a still-unknown number of networks that includes at least half a dozen US federal agencies.